Date:      Mon, 8 Dec 2003 17:48:04 +0100
From:      jan.muenther@nruns.com
To:        Roger Marquis <marquis@roble.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: possible compromise or just misreading logs
Message-ID:  <20031208164804.GA92121@ergo.nruns.com>
In-Reply-To: <20031208160428.DDF8FDAE9A@mx7.roble.com>
References:  <20031207200130.C4B1216A4E0@hub.freebsd.org> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com>

> Sure, unless you're running an Orange book A level system it's
> impossible to secure anything.  But that's a rhetorical argument.

I guess you misunderstood me here. I wasn't arguing that any system can be
broken into - true, but not the point here - but that it's possible to do it
without getting noticed, even if you run Tripwire or a similar product. 

> We're talking about filesystems here.

Well, okay - if we focus on that point alone, Tripwire surely does a good
job. I was just opposing the apodictic statement that it's impossible to
break into a system without Tripwire triggering an alert. I wasn't saying
that it's superfluous to run, just that you shouldn't neglect all other
possible and necessary security measures around it. 

Again, don't get me wrong, I'm not one of the bigots who likes to slag off any
security safeguard by saying it can be circumvented. All I was stating is
that even when you have all that in place, you should still stick to best
practices in every other regard. 

> > Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
> Wouldn't affect tripwire.  In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Guess that depends on the Tripwire version, too... see
http://www.phrack.com/show.php?p=43&a=14


Cheers, J.
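The point made in the quoted reply, that an integrity checker recording several independent digests per file (plus a digest over its own database) is harder to fool than one relying on MD5 alone, is illustrated below with a small file-integrity baseline and verification tool. This is an added example for this archive page, not code from either correspondent and not Tripwire's own implementation; the algorithm list, the metadata fields recorded, and the JSON serialisation are assumptions chosen for the example.

```python
import hashlib
import json
import os
import stat

# Digests recorded per file. A rootkit that fakes one algorithm's output
# (the thread's example is MD5) still produces a mismatch on the others.
# Assumption for this example: Tripwire's own list differs (see the thread).
ALGORITHMS = ("md5", "sha1", "sha256", "blake2b")


def digest_file(path, algorithms=ALGORITHMS):
    """Read the file once and feed every hasher, returning {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_record(path):
    """Per-file record: size and mode bits, plus digests for regular files."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    if stat.S_ISREG(st.st_mode):
        rec["digests"] = digest_file(path)
    return rec


def build_baseline(root):
    """Walk the tree and record every file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def baseline_digest(baseline):
    """Digest of the serialised database itself; keep it off the monitored host
    (or on read-only media) so tampering with the database is also detectable."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def verify(root, baseline):
    """Compare the tree against the baseline. Returns {relpath: [reasons]};
    an empty dict means nothing changed, went missing, or appeared."""
    current = build_baseline(root)
    changed = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            changed[rel] = ["missing"]
            continue
        reasons = [key for key in ("size", "mode") if old[key] != new[key]]
        old_d, new_d = old.get("digests", {}), new.get("digests", {})
        # Report every algorithm that disagrees, so a single spoofed
        # digest is visible as "all the others still mismatch".
        reasons += [alg for alg in old_d if old_d[alg] != new_d.get(alg)]
        if reasons:
            changed[rel] = reasons
    for rel in current:
        if rel not in baseline:
            changed[rel] = ["added"]
    return changed


if __name__ == "__main__":
    # Constructed demo tree: baseline it, alter one file in place, re-verify.
    import tempfile
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original binary\n")
    base = build_baseline(root)
    print("database digest:", baseline_digest(base))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned binary\n")  # same length, different content
    print(verify(root, base))
```

Same-length replacement of a file leaves `size` untouched, so the report for that file lists only the digests that disagree; a database digest stored away from the host gives the verifier something to check before trusting the baseline it loads.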


